Group Policy: Applying Group Policy via Winbind or SSSD

5 MAY 2021

Copyright © SUSE 2021

Presentation Agenda

1. Introduction: Brief introduction to Group Policy

2. Samba Group Policies: Policies currently available in 4.14, and soon to be released in 4.15

3. ALT Linux Group Policy Integration: Policies expected to be integrated in a future release of Samba.

4. Getting Started: How to get started with Group Policy on Linux

Group Policy

What is a Group Policy Object (GPO)?

A GPO is a group of settings created using the Microsoft Management Console. Or, in Samba’s case, using the `samba-tool gpo` command.

Group Policies are stored on the SYSVOL network share.

GPOs are associated with Active Directory containers, such as sites, domains, and OUs.

GPOs are applied to clients in logical order: local policies, site policies, domain policies, then OU policies.
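The ordering above decides which GPO wins when several set the same value, because each later GPO overwrites earlier ones. The following Python is an added example, not code from the presentation or from Samba; the DNs, GPO names and smb.conf values are constructed, and `container_chain` and `resultant_policy` are hypothetical helper names.

```python
import re

def container_chain(dn):
    """Containers above `dn`, ordered from the domain root down to the nearest OU."""
    rdns = re.split(r"(?<!\\),", dn)[1:]           # drop the object's own RDN
    first_dc = next(i for i, r in enumerate(rdns)
                    if r.strip().upper().startswith("DC="))
    chain = [",".join(rdns[first_dc:])]            # the domain itself
    for i in range(first_dc - 1, -1, -1):          # then each container going down
        chain.append(",".join(rdns[i:]))
    return chain

def resultant_policy(dn, links, local=(), site=()):
    """Apply GPOs in the order local, site, domain, OU; the last writer of a
    setting wins. Returns (application order, settings, winning GPO per setting).
    GPOs linked to the same container are applied in list order."""
    by_dn = {k.lower(): v for k, v in links.items()}   # DNs compare case-insensitively
    layers = [list(local), list(site)]
    layers += [by_dn.get(c.lower(), []) for c in container_chain(dn)]
    order, settings, winner = [], {}, {}
    for gpos in layers:
        for name, params in gpos:
            order.append(name)
            for key, value in params.items():
                settings[key] = value
                winner[key] = name
    return order, settings, winner

# Constructed sample data: GPO names, DNs and values are illustrative only.
LINKS = {
    "DC=example,DC=com": [
        ("Domain Baseline", {"client min protocol": "SMB3", "log level": "1"})],
    "OU=Lab,OU=Workstations,DC=example,DC=com": [
        ("Lab Compat", {"client min protocol": "NT1"})],
}
SITE = [("Site Default", {"log level": "0"})]
HOST = "CN=ws01,OU=Lab,OU=Workstations,DC=example,DC=com"

if __name__ == "__main__":
    order, settings, winner = resultant_policy(HOST, LINKS, site=SITE)
    print(" -> ".join(order))
    for key in sorted(settings):
        print(f"{key} = {settings[key]}   (from {winner[key]})")
```

In the sample, the OU-linked GPO lowers `client min protocol` below the domain baseline, which is the kind of override the `winner` map makes visible during review.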

What is a Server Side Extension?

Microsoft provided two mechanisms for extending Group Policy.

ADMX: Administrative Templates. These XML files are placed in a specific directory on the SYSVOL, and indicate how the GPMC will display policy options.

GPMC Extension: These follow a specific C++ template to generate dialogs which integrate with the GPMC. Some Group Policy vendors (such as Vintela) use this extension method.

In Samba 4.15, we have the `samba-tool gpo manage` command, which implements the features of a GPMC Server Side Extension.

ALT Linux provides an ADMC graphical interface, which mimics the behavior of ADUC and GPMC.

SUSE Linux provides a YaST GPMC module for modifying some policies.

What is a Client Side Extension?

Client Side Extensions transfer policies from the SYSVOL to local policies on the machine.

Microsoft defines Client Side Extension libraries which must export specific function calls in order to apply policies on a Windows client.

In Samba, Client Side Extensions are implemented by inheriting from the `gp_ext` class and implementing the abstract methods of the class. Scan the QR code to learn more about creating a Samba Client Side Extension.

Samba Group Policies

What’s new?

smb.conf Policies: These policies allow you to distribute smb.conf parameters to Linux clients from a GPO. Just as in Windows, the parameters are processed for clients nested in or below the OU with which the GPO is linked.

Script Policies: These policies allow you to execute scripts on the clients. They create hourly, daily, weekly, and monthly cron jobs on the client to execute the script. The script must already be present on the machine, or somewhere accessible to the client (such as on a network share).

Sudoers Policies: This policy distributes sudoers entries to clients. Entries are added to /etc/sudoers.d.
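A Client Side Extension copies SYSVOL content into privileged local files such as /etc/sudoers.d, so the apply and unapply steps are worth seeing together with the checks a reviewer would expect. This Python is an added example, not Samba's code: `SudoersExtension`, its method signature, the `gp_` file prefix and the sample entries are assumptions made for the illustration.

```python
import os
import re
import tempfile

class SudoersExtension:
    """Hypothetical stand-in for a Client Side Extension; not Samba's gp_ext API."""

    def __init__(self, sudoers_dir):
        self.sudoers_dir = sudoers_dir

    def _path(self, guid):
        # sudo skips drop-ins whose names contain '.' or end in '~', so keep
        # only characters that are safe in a name it will actually read.
        safe = re.sub(r"[^A-Za-z0-9_-]", "", guid)
        if not safe:
            raise ValueError("empty GPO identifier")
        return os.path.join(self.sudoers_dir, "gp_" + safe)  # assumed prefix

    @staticmethod
    def _check(entry):
        # One rule per entry: no line breaks, continuations or include directives.
        if re.search(r"[\r\n\x00]", entry) or entry.rstrip().endswith("\\"):
            raise ValueError("multi-line sudoers entry rejected")
        if re.match(r"\s*[#@]include", entry):
            raise ValueError("include directive rejected")
        return entry.strip()

    def process_group_policy(self, deleted_gpos, changed_gpos):
        """deleted_gpos: iterable of GUIDs; changed_gpos: {guid: [entries]}."""
        for guid in deleted_gpos:                  # unapply: remove our drop-in
            try:
                os.unlink(self._path(guid))
            except FileNotFoundError:
                pass
        for guid, entries in changed_gpos.items():
            body = "".join(self._check(e) + "\n" for e in entries)
            # The staging name contains '.', so sudo ignores it if left behind.
            fd, tmp = tempfile.mkstemp(dir=self.sudoers_dir, prefix=".stage")
            with os.fdopen(fd, "w") as f:          # mkstemp creates the file 0600
                f.write(body)
            os.chmod(tmp, 0o440)                   # mode sudo expects for drop-ins
            os.replace(tmp, self._path(guid))      # atomic swap into place

    def applied(self):
        """Names of the drop-ins this extension currently has installed."""
        return sorted(n for n in os.listdir(self.sudoers_dir) if n.startswith("gp_"))
```

On a real client the staged file would also be passed through `visudo -c -f` before the rename, so a syntax error in a GPO cannot break sudo for the whole host.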

What’s new?

Message Policies: These policies allow you to set the contents of /etc/motd and /etc/issue on the clients.

Available in Samba 4.14

These new policies are already available in Samba 4.14.

Next, some new policies which will be available in Samba 4.15.

What’s in the pipeline?

Host Access Policies: These policies control user account access to the host. They generate entries in /etc/security/access.d for the pam_access module.

Files Policies: These policies distribute files to clients. When creating the policy, files are uploaded to the SYSVOL share to be distributed to the client.

OpenSSH Policies: These policies apply OpenSSH settings to /etc/ssh/sshd_config.d.

What’s in the pipeline?

Startup Scripts Policies: Unlike the existing Scripts policy, when setting Startup Scripts, they are uploaded to the SYSVOL share, allowing distribution of the scripts to clients. This policy also allows you to specify a single run of the script, meaning it will be executed once and not scheduled for running regularly.

Symlink Policies: Creates a symlink on the host.

Additional VGP Policies (duplicates): These new policies in 4.15 mimic the behavior of Vintela’s proprietary Group Policy implementation, so there is some duplication via sudoers, and motd/issue messages policies.

Migration from Vintela Group Policy

The purpose of the new policies added in 4.15 is to provide a migration path from the proprietary Vintela authentication and Group Policy tool to either Winbind or SSSD.

ALT Linux Group Policy Integration

Integration in progress

Igor and I have been working together to merge the ALT Linux gpupdate code into Samba’s Group Policy.

● Joining efforts allows us to bring more features to everybody.

What does ALT Linux gpupdate bring to Samba?

User Policy: While Samba’s Group Policy is capable of User Policy application, my efforts have focused on Machine Policy. ALT Linux has developed a number of User Policies which will be integrated into Samba.

Local Policy: ALT Linux developed an approach to Local Policy application, which will be integrated into Samba’s Group Policy.

Registry Application: ALT Linux retrieves policies from the SYSVOL, and stores them in the local Samba 3 Registry prior to deploying the policy on the system. This better aligns with the way policy is applied on Windows.

What policies?

Firefox/Chromium Policies: These policies apply the browser home page, and carry the potential for much more (using Mozilla’s ADMX preferences, for example).

CIFS Mount Policies: This policy mounts network drives specified in GPME/Preferences/Windows Settings/Drive Maps as CIFS mounts on the client.

Printer Policies: This policy configures network printers via CUPS.

What policies?

Environment Variable Policies: This policy adds environment variables to the client which are specified in GPME/Preferences/Windows Settings/Environment.

Firewall Policies: This policy adds firewall rules to the client which are specified in GPME/Policies/Windows Settings/Security Settings/Windows Firewall.

Folder Policies: This policy creates folders on the client which are specified in GPME/Preferences/Windows Settings/Folders.

What policies?

Time Server Policies: This policy adds time servers to the client NTP configuration which are specified in GPME/Administrative Templates/System/Windows Time Service/Time Providers.

RPM Package Policies: This policy installs rpm packages as specified by the ALT ADMX package templates.

Shortcut Policies: This policy adds shortcuts to the client which are specified in GPME/Preferences/Windows Settings/Shortcuts.

Getting Started

Enabling Group Policy

Computer Group Policy is enabled on Winbind by setting the following in smb.conf:

apply group policies = yes

Group Policy is applied using the command specified by the smb.conf parameter `gpo update command`. By default this is `samba-gpupdate`.

Policy is applied every 90 to 120 minutes.

Currently there is no mechanism for automatically applying policy on SSSD (although this is easily accomplished with a cronjob).

Enabling Group Policy in the Future

ALT Linux provides a utility called oddjob-gpupdate for applying User and Computer policies.

Eventually this will probably be the standard for policy application, since it handles both User and Computer policy application, as well as providing a utility for both Winbind and SSSD.

oddjob-gpupdate also allows regular users to force Computer Policy application without requiring root access.

Enabling Group Policy DEMO

Loading ADMX Templates

Samba ADMX Templates (Samba 4.14)

samba-tool gpo admx load

Windows ADMX Templates

Download from: https://www.microsoft.com/en-us/download/102157

Then run:

samba-tool gpo admx load --admx-dir=/location/of/windows/templates

ALT Linux Templates (gpupdate, and Samba >4.15)

Download from: https://github.com/altlinux/admx-basealt/archive/refs/tags/0.1.4-alt1.zip

Then run:

samba-tool gpo admx load --admx-dir=/location/of/altlinux/templates

Loading ADMX Templates DEMO

Using Group Policy Management Console

● Allows the modification of policies

● ALT Linux provides an alternative, but is still in development

Policies using samba-tool (Samba 4.15)

As of Samba 4.15, there is a new samba-tool command for modifying policies.

> samba-tool gpo manage

Modifying Policies DEMO

Thank you

For more information, contact SUSE at:

+1 800 796 3700 (U.S./Canada)

+49 (0)911-740 53-0 (Worldwide)

Maxfeldstrasse 5

90409 Nuremberg

www.suse.com

© 2020 SUSE LLC. All Rights Reserved. SUSE and the SUSE logo are registered trademarks of SUSE LLC in the United States and other countries. All third-party trademarks are the property of their respective owners.